global buffer overflow in ValidatePostScriptFontName (parsettf.c) #3098
Comments
ahah... hah... ...or not... sigh... FontForge actually defines its own isdigit... @JoesCat it looks like it's generated from makeutype, so it should probably be fixed there.
isdigit() is just one of the several defines that I think are better off being made into functions that can return errors instead of simple mask-checks. If you look at the other defines, they can probably also be lumped into this same CVE in my opinion ...because someone can eventually find a creative way to break them too. ;-) I can understand GW choosing this speedy, code-conserving method back in 200x when computers had less power and less internet access, especially for the size of FontForge which was basically one computer==one user, and did not have collaboration available then either.
This neither crashes nor generates nasty Valgrind in current master. Are you still able to reproduce it?
Update from unicode charts 9.0 to unicode charts 11.0, closes fontforge#3304

Fixed some c<->po copy-pastes in makeutype.c that prevented running correctly, then expand lig-tables for added ligatures found in 11.0. fontforge/unicoderange.c required manual edits from 9.0 to 11.0, this basically is comparing libuninameslist blocks and unicode.org blocks.txt. Some names appear to have changed, but oddly, no name conflicts were found using Unicode/makeudiff.c, so it looks more like maybe these were possibly custom block names to begin with.

Minor upgrade of fontforgeexe/charinfo.c to include all vulgar fracs however, need to investigate how can these two functions be expanded since additional ligatures exist now, but these two functions appear to run multi-function features beyond just ligatures and fractions. This only touches issue fontforge#3306

Modified makeutype.c to insert mytoupper[0xdf]=0x1e9e if 0xdf found.

Turned #defines {isdigit() and friends} to functions in makeutype.c and utype.h to stop utype.c table overflows, or push the problem to be resolved in higher level caller functions. These are the defines referred to in makeutype.c - this improves fontforge#3098 by staying within table limits or returning an error. Defines replaced by functions: ff_unicode_tolower, ff_unicode_toupper, ff_unicode_totitle, ff_unicode_tomirror, ff_unicode_digitval, plus utype and utype2. This should improve or close a cluster of buffer overflows since these functions stay with limits and cannot segfault or overflow.

makebuildtables.c, README.TXT, gdraw/gdrawbuildchars patched/updated.
* Unicode 11.0

Update from unicode charts 9.0 to unicode charts 11.0, closes #3304

Fixed some c<->po copy-pastes in makeutype.c that prevented running correctly, then expand lig-tables for added ligatures found in 11.0. fontforge/unicoderange.c required manual edits from 9.0 to 11.0, this basically is comparing libuninameslist blocks and unicode.org blocks.txt. Some names appear to have changed, but oddly, no name conflicts were found using Unicode/makeudiff.c, so it looks more like maybe these were possibly custom block names to begin with.

Minor upgrade of fontforgeexe/charinfo.c to include all vulgar fracs however, need to investigate how can these two functions be expanded since additional ligatures exist now, but these two functions appear to run multi-function features beyond just ligatures and fractions. This only touches issue #3306

Modified makeutype.c to insert mytoupper[0xdf]=0x1e9e if 0xdf found.

Turned #defines {isdigit() and friends} to functions in makeutype.c and utype.h to stop utype.c table overflows, or push the problem to be resolved in higher level caller functions. These are the defines referred to in makeutype.c - this improves #3098 by staying within table limits or returning an error. Defines replaced by functions: ff_unicode_tolower, ff_unicode_toupper, ff_unicode_totitle, ff_unicode_tomirror, ff_unicode_digitval, plus utype and utype2. This should improve or close a cluster of buffer overflows since these functions stay with limits and cannot segfault or overflow.

makebuildtables.c, README.TXT, gdraw/gdrawbuildchars patched/updated.

* Fix makebuildtables.c to output copyright in gdrawbuildchars.c

Align define values for readability
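As an added illustration of the fix described in the commit message above (this is not FontForge's own code: the table, the class bits, `TABLE_LEN` and every function name here are constructed stand-ins), the macro-style table lookup that can index past a global table is shown beside the bounded function form that stays within the table or returns an error for the caller to handle:

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a generated classification table: one byte of
 * class bits per code point, covering only code points 0..0xFF. FF_DIGIT,
 * FF_ALPHA, utype_table and TABLE_LEN are assumptions for this example. */
#define FF_DIGIT  0x01
#define FF_ALPHA  0x02
#define TABLE_LEN 0x100
static uint8_t utype_table[TABLE_LEN];

static void init_table(void) {
    for (int c = '0'; c <= '9'; c++) utype_table[c] |= FF_DIGIT;
    for (int c = 'A'; c <= 'Z'; c++) utype_table[c] |= FF_ALPHA;
    for (int c = 'a'; c <= 'z'; c++) utype_table[c] |= FF_ALPHA;
}

/* Macro form (the pattern the issue is about): the index comes straight
 * from the caller, so a code point at or above TABLE_LEN, e.g. one taken
 * from a font file, reads past the end of the global table. Unused here. */
#define UNSAFE_ISDIGIT(ch) (utype_table[(ch)] & FF_DIGIT)

/* Function form: the bound is checked once, in one place. Returns the
 * class bits, or -1 when ch lies outside the table so the caller sees an
 * error instead of an out-of-bounds read. */
static int ff_class(int32_t ch) {
    if (ch < 0 || ch >= TABLE_LEN) return -1;
    return utype_table[ch];
}
static int ff_isdigit(int32_t ch) {
    int cls = ff_class(ch);
    return cls > 0 && (cls & FF_DIGIT) != 0;
}
/* Digit value 0..9, or -1 for a non-digit or an out-of-range code point. */
static int ff_digitval(int32_t ch) {
    return ff_isdigit(ch) ? (int)(ch - '0') : -1;
}

/* Higher-level caller the error is pushed up to: 1 if every code point is
 * a letter or digit in the table, 0 if some code point is another class,
 * -1 if any code point lies outside the table (reject the name). */
static int validate_font_name(const int32_t *name, size_t len) {
    for (size_t i = 0; i < len; i++) {
        int cls = ff_class(name[i]);
        if (cls < 0) return -1;
        if (!(cls & (FF_DIGIT | FF_ALPHA))) return 0;
    }
    return 1;
}
```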
Closing as not reproducible.
Testcase:
https://github.com/gnehsoah/poc/blob/master/fontforge/ValidatePostScriptFontName-in-parsettf.c-global-buffer-overflow.otf